A recent Wall Street Journal article began, “think of it as a mansion with a high-tech security system - but the front door wasn’t locked tight.” Wrong. Not fair. Not true. Curious.
I would hate to be an info security professional right now.
However, it’s a great time to be in info security because there is endless work.
Imagine making your best efforts and that not being sufficient. Imagine that every day someone with serious motivation and increasing sophistication tries to crack the security perimeter around your info treasure trove. Imagine you have loads of personal information or company trade secrets which you spend millions protecting. Imagine hiring the best info security employees, using all the best practices to lock down data and that is still not enough. Imagine for all your efforts the laws don’t care about trying or effort, but penalize you if your info is exposed.
I believe there are many great companies in precisely that situation - loads of data that they have gone to great pains to protect and it is simply insufficient. Many laws now require that anyone impacted by their info being exposed, even when such action is done by a criminal, get notice and sometimes “compensation” for the harm caused.
In the legal world, what this begins to sound like is that there is “strict liability” for data breaches, even when the harm was perpetrated by a criminal. Best efforts may not be protection. Doing the right thing is not enough. Being prudent is not good enough. The only thing that matters is keeping data protected.
Recent attacks include Citibank, ADP, and the US government. All with great incentive to get it right. No one is immune. I know they care and seek to do their best and still desire to get it right. But technology imperfections and criminal creativity win.
You can’t spend enough to protect the place.
You can’t be vigilant enough.
No matter what you do, it won’t be enough. A stronger hammer can always find the small window to the front door of the otherwise high tech protected mansion and smash the window and no law can change that.